Spectra Terms and Conditions

Master Spectra Subscription Agreement

This Master Spectra Subscription Agreement, including all Exhibits (“Agreement”), is entered into as of the effective date listed on the applicable software order form (“the“Effective Date”) and is between Lighthouse Document Technologies Inc. and its affiliates with its principal place of business at 51 University Street Suite 400, Seattle, Washington 98101 (“we,” “our,” “us,” and “Lighthouse”), and Client as identified on an order form (“you,” “your,” and “Client”).  The following are an integral part of this Agreement and where not attached to the Agreement are hereby incorporated by reference: Spectra Support and Service Level Addendum (Exhibit A), the Spectra Information Security & Data Protection Addendum (Exhibit B), the Spectra Data Processing Addendum (Exhibit C), and any order forms executed between you and us.

1. Spectra SaaS Services. We will provide you with access to its self-service SaaS eDiscovery solution and customer support for a time period specified in an order form (“Services”).

2. Access and Use.

(a) Provision of Access. We grant you a non-exclusive, non-transferable right to access and use the Services during the Term (defined below), solely for use by your employees, consultants, contractors, agents, or affiliates who are authorized by you to access and use the Services under the rights granted to you pursuant to this Agreement (“Authorized Users”) in accordance with the terms and conditions herein. Such use is limited to your own internal business purposes. We will provide you the necessary access and link to allow you to access the Services within three business days following the Effective Date.

(b) Documentation License. We grant you a non-exclusive, non-sublicensable, non-transferable license to use our user manuals, handbooks, videos, and guides relating to the Services provided by us to you through Spectra (“Documentation”) during the Term solely for your own internal business purposes in connection with your use of the Services.

(c) Use Restrictions. You will not use the Services for any purposes beyond the scope of the access granted in this Agreement. You will not at any time, directly or indirectly, permit any Authorized Users to: (i) copy, modify, or create derivative works of the Services or Documentation, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services or Documentation; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Services, in whole or in part; or (iv) remove any proprietary notices from the Services or Documentation.

3. Service Levels and Support. We will make the Services and support available in accordance with Exhibit A. The access rights granted here under entitle you to the support services described in Exhibit A during your use of the Services.

4. Information Security and Data Privacy. Throughout the Term, we will maintain an Information Security Program, as outlined in Exhibit B, and will comply with all data processing requirements set out in Exhibit C.

5. Fees, Payment, and Taxes. You will pay us the fees set forth in the order form (“Fees”) in accordance with the invoicing schedule and requirements set forth in the order form. Unless otherwise stated in an order form, you agree to pay our fees within 30 days of the date of invoice in the currency stated on the order form. If you are a non-government subscriber and you fail to pay the Fees, you will be responsible for collection costs including legal fees. Amounts for Services performed do not include taxes. Unless you provide valid proof of exemption, you will also pay all applicable taxes and duties, other than taxes on our income. Invoice disputes must be notified within 15 days of receipt of invoice. If you require us to invoice through an e-billing platform, we may: (i) invoice you via email if you have not set us up for invoicing a particular matter in the platform; (ii) use the platform free of charge; and (iii) use generic time keeper codes (e.g., E118 code) when uploading invoices on the platform.

6. Confidentiality.

(a) "Confidential Information” means all administrative, technical, financial, trade secret, or other private information, not generally available to the public, including any rates or pricing information, whether or not such Confidential Information carries a proprietary legend or is transmitted verbally. Confidential Information does not include information, even if designated as such, which: (i) is or becomes generally available to the public without breach of this Agreement; (ii) can be documented was in the possession of the recipient prior to its disclosure by the discloser; (iii) becomes available from a third party not in breach of any obligations of confidentiality and without knowledge by the recipient of any breach of a fiduciary duty orobligation; or (iv) can be documented was independently developed by the recipient. 

(b) The recipient may receive Confidential Information of the discloser and the recipient shall keep such Confidential Information in confidence and protect such Confidential Information, including, but not limited to, by security measures at least as restrictive as those taken to protect its own Confidential Information, but in no case less than reasonable security measures. Except as required by law or permitted by this Agreement, the recipient shall not disclose Confidential Information to any third party (other than to its legal and financial advisors, agents, employees,and consultants on a “need to know” basis who are under obligations of confidentiality at least as restrictive as those in this Agreement), without the discloser’s prior express written consent, and the recipient shall not use any Confidential Information for any purpose other than in connection with the performance of its obligations and exercise of its rights under this Agreement. At the express written request of the discloser, the recipient shall return or destroy any Confidential Information of the discloser to the extent possible and except as otherwise needed as evidence or as required to be provided by each Party in an aggregated form to governmental authority(ies). You and we agree the Confidential Information of the discloser is and remains the property of the discloser. Disclosure or use of Confidential Information by the recipient in violation of the provisions of this Section, Confidentiality, would cause irreparable injury to the discloser; therefore, in the event either Party breaches the provisions of this Section, Confidentiality, the other Party, in addition to any other remedies it may have, is entitled to preliminary and permanent injunctive relief without having to post a bond. 

The recipient may disclose Confidential Information pursuant to an order of a court of competent jurisdiction, by rule or regulation of an administrative agency to which the recipient is subject, or subpoena, provided that, to the extent permitted by law and feasible, the recipient provides prompt written notice of such court order, requirement, or subpoena to the discloser to enable the discloser to seek a protective order, confidential treatment, or to otherwise prevent or restrict such disclosure. The recipient will reasonably cooperate, at the discloser’s expense, to assist the discloser in seeking such protective order or from otherwise preventing or restricting such disclosure. 

7. Privilege.

(a) Any data, files, documents, information, communications, media whether intangible or tangible, hardware, electronics, or equipment whether provided directly or indirectly to us through the Services shall be considered (“Client Data”). You and we recognize that some Client Data may be marked as “privileged” and/or will in fact be privileged attorney-client communication, attorney work product, or will have equivalent designations under the privilege rules of the applicable jurisdictions. Any applicable Client Data that is within the scope of communications protected by state statute or common law attorney-client privilege and/or work product will remain subject to such protection. All work described here in will be at your direction or the direction of your legal counsel.

8. Analytics.

(a) Our subcontractors, agents and third-party service providers shall be permitted to access, collect, analyze, and use data and information related to your use of the Services, provided that such data and information is used in an aggregate and anonymized manner, including to compile statistical and performance information related to the provision and operation of the Services (“Analytical Data”). We will use Analytical Data to improve and enhance the Services and for other development, diagnostic, and corrective purposes and may disclose Analytical Data in aggregate or in other de-identified form in connection with our business.

9. Intellectual Property, License, & Ownership.

(a) Our IP. You acknowledge that, as between us, we own all right, title, and interest, including all intellectual property rights, in and to the Services, the Documentation, and any and all intellectual property provided to you or any Authorized User in connection with the Services (“Lighthouse IP”). For the avoidance of doubt, Lighthouse IP does not include Client Data. We hereby grant you a worldwide, non-exclusive, non-transferable, non-sublicensable, fee-bearing, and limited license to use the Services solely for its internal business purposes, for the duration of this Agreement. We reserve all rights not expressly granted herein.

(b) Client Data. We acknowledge that, as between you and us, you own all right, title, and interest, including all intellectual property rights, in and to the Client Data. You hereby grant to us a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and use and display the Client Data solely to the extent necessary to provide the Services to you.

(c) Ownership. All content and Services provided to you and all IP rights therein, regardless of when created, shall be and remain our exclusive property or the exclusive property of our licensors or suppliers. All Client Data and other information that you provide to us for processing, and all IP rights therein, shall remain your exclusive property.

(d) Trials and Feedback. All trials of our Services are subject to the terms of the Agreement, unless we notify you otherwise. In the event that you or any of your Authorized Users submit any ideas, suggestions, proposed enhancements, or other feedback relating to the Services (“Feedback”), we will automatically own such Feedback without compensation to you and you hereby assign all rights in the Feedback to us.  

10. Warranties and Warranty Disclaimer.

(a) We warrant that during the Term of this Agreement the Services: (i) will conform in all material respects to the specifications set forth in the Documentation during the Term of this Agreement; (ii) will be provided in compliance with all applicable laws; and (iii) will not infringe upon any third-party’s rights. If the Services fail to meet this warranty, we will, at our option and as your sole and exclusive remedy, either return to you the amount you paid for the non-conforming Services or we will repair or replace the Services. This limited warranty does not cover problems caused by accident, your misuse of the Services, abuse or use of the Services in a manner inconsistent with this Agreement or our Documentation or guidance, or resulting from events beyond our reasonable control.

(b) You warrant that during the Term of this Agreement (i) the Client Data will be provided in compliance with all applicable laws; and (ii) you have scanned Client Data to ensure it contains no harmful code using an application that meets the current information security standards in the industry.

(c) You and we each represent and warrant that: (i) it has the full power and authority to enter into this Agreement; (ii) its execution of and performance under this Agreement does not and will not breach or cause a default under any other agreement, contract, or joint venture agreement to which it is a party; (iii) its performance hereunder will fully comply with all applicable laws, rules and regulations; and (iv) it is the rightful owner or possessor of all equipment, media, and/or other electronic devices to which either you or we are provided access. 

(d) EXCEPT FOR THE EXPRESS WARRANTY SET FORTH IN THIS AGREEMENT, THE SERVICES ARE PROVIDED ON AN “AS IS” BASIS AND YOUR USE OF THE SERVICES AND RESULTS OF THE SERVICES IS AT YOUR OWN RISK.  THE PARTIES DO NOT MAKE, AND HEREBY DISCLAIM, ANY AND ALL OTHER EXPRESS AND/OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT AND TITLE, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

11. Indemnification.

(a) We will indemnify, defend, and hold harmless you from and against any and all losses, damages, liabilities, and costs (including reasonable attorneys' fees) ("Losses") incurred by you resulting from any third-party claim, suit, action, or proceeding ("Third-Party Claim") that the Lighthouse IP, or any use of the Services in accordance with this Agreement, infringes or misappropriates such third party's intellectual property rights, provided that you promptly notify us in writing of the claim, reasonably cooperate with us, and allow us sole authority to control the defense and settlement of such claim, provided that we may not settle any infringement claim without your reasonable consent unless the settlement unconditionally releases you of all liability.

(b) If such a claim is made or appears possible, you agree to permit us, at our sole expense, to (i) modify or replace the Lighthouse IP, or component or part thereof, to make it non-infringing, or (ii) obtain the right for you to continue use. If neither of these alternatives are commercially reasonable, we may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to you, provided that we will refund or credit to you all amounts you paid in respect of the Lighthouse IP that you cannot reasonably use as intended under this Agreement. You agree that the foregoing is your sole remedy and our sole obligation with respect to infringement claims.

12. Limitation of Liability.

IN NO EVENT WILL EITHER YOU OR WE BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF BUSINESS OR PROSPECTIVE BUSINESS OPPORTUNITIES, PROFITS, REVENUE, OR ANTICIPATED SAVINGS, DATA, INFORMATION, OR OTHER COMMERCIAL OR ECONOMIC LOSS OF THE OTHER, IN RELATION TO THIS AGREEMENT, WHETHER OR NOT THE RELEVANT LOSS WAS FORESEEABLE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EACH OF YOUR AND OUR ENTIRE LIABILITY FOR ANY CLAIMS WHICH MAY ARISE HERE UNDER SHALL BE LIMITED TO MONETARY DAMAGES IN AN AMOUNT EQUAL TO THE TOTAL FEES ACTUALLY PAID BY YOU TO US IN THE PRECEDING 12 MONTHS SUCH CLAIM AROSE. The exclusions and limitations in this Section do not apply to claims a risingfrom (i) fraud, fraudulent misrepresentation, willful misconduct, gross negligence, or conduct that demonstrates reckless disregard for the rights ofothers; (ii) negligence causing death or personal injury; or (iii) Third Party Claims.

13. Term and Termination.

(a) Term. The initial term of this Agreement begins on the Effective Date and will run through the term date listed on the order form (the "Initial Term"). After the Initial Term, this Agreement then will automatically renew on an annual basis until you or we give written notice of non-renewal at least 30 days prior to the expiration of the then-current term or as outlined below (each a "Renewal Term" and together with the Initial Term, the "Term"). After the Initial Term, we reserve the right to increase rates on an annual basis with at least 90 days’ prior notice.

(b) Termination. In addition to any other termination right set forth in this Agreement: After the Initial Term, you or we may terminate this Agreement for convenience upon 30 days prior written notice. You or we may terminate this Agreement if you or we: (i) breach any of its material obligations under this Agreement and fails to remedy such breach within 30 calendar days after receiving notice of the breach from the non-breaching party; (ii) engage in illegal activity of any type; (iii) become insolvent or bankrupt; (iv) assign all or a substantial part of its business or assets for the benefit of creditors; or (v) otherwise cease to conduct business as an ongoing concern.

(c) Suspension. We reserve the right to suspend the Services, in the event payment is more than 30 days past due.

(d) Effect of Termination. Upon termination of this Agreement: (i) you shall remain responsible for payment of all Services provided through the termination date; (ii) your access to the Services will be removed; (iii) you will discontinue use of any Lighthouse IP; and (iii) we will destroy all Client Data within 30 days.

14. Miscellaneous.

(a) Matter Conflict Checks. By default, we do not perform any matter conflicts checks as part of your use of the Services, however there is an option within the Services to request a matter conflict check. In the event that you request us to access your Spectra workspace for support, at that time we may elect, at our sole discretion, to perform a matter conflict check. In such an event, you will work with us to provide as many details as reasonably needed to perform a matter conflict check. If you refuse to allow us to perform a matter conflict check, at that time we may decline to provide you with any additional support that is specific to that matter.

(b) No Practice of Law. We are not engaged in the practice of law in any jurisdiction, and in performing the Services, are not providing any legal advice whatsoever to you. Nothing in the delivery or receipt of any Services or deliverables shall be construed or relied on as advertising or soliciting to provide any legal services, creating any attorney-client relationship, or providing any legal representation, advice, or opinion whatsoever on behalf of us or our personnel. The Services represent our opinion and interpretation of your Confidential Information as a legal technology services provider. We will rely upon your Confidential Information and representations made and provided by you or your attorneys as factually correct and will not undertake, nor be required to undertake, any independent investigation with respect to your Confidential Information.

(c) Notices. All written notices required or permitted to be given under this Agreement shall be delivered to the address specified in the applicable order form, by delivery in person, via confirmed email to: Legal@lighthouseglobal.com, national carrier requiring signature receipt, or U.S.mail with first-class postage prepaid. Notices shall be effective the earlier of actual receipt (or refusal to accept receipt, if applicable) or 5 days from the date it is sent.

(d) General. This Agreement contains the entire understanding between us with respect to the subject matter hereof and supersedes all prior and contemporaneous written or oral understandings, agreements, representations, and warranties with respect to such subject matter. The invalidity, illegality, or unenforceability of any provision herein does not affect any other provision herein or the validity, legality, or enforceability of such provision in any other jurisdiction. Neither you nor we may amend this Agreement except by written instrument signed by us both. If either you or we fail to enforce any provision or provisions of this Agreement, it won’t in any way be construed as a waiver of any such provision or provisions or prevent either you or us from enforcing each and every provision of this Agreement. This Agreement is binding upon and inures to the benefit of each of you and us and respective successors and permitted assigns. Neither you nor we will be liable by reason of any failure nor delay in the performance of obligations here under for any cause beyond your or our respective reasonable control. The provisions of this Agreement, and the rights and obligations under this Agreement that by their nature and context are intended to survive the termination or expiration of this Agreement, shall survive. This Agreement may be executed in counterparts. 

Exhibit A: Spectra Support and Service Level Addendum

This Support and Service Level Addendum (“Exhibit A”) is incorporated into the Agreement and provides the support and service level terms and conditions for the Spectra Services.  All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1. Support. Lighthouse shall provide, at no additional cost to Client, technical support by email to Client and/or its Authorized Users to address and respond to any inquiry or problem associated with the access and availability of the Services (“Support”). Lighthouse will respond to, correct, and rectify any failure, malfunction, or nonconformity in the Services to the Documentation, in each case, in a prompt and qualified manner, and will provide the technical support services to Client in accordance with the service level standards set forth in this Exhibit A. Requests may be submitted on a 24x7 basis via email to spectrasolutions@lighthouseglobal.com.

Support Type
Support Description
Availability
Contact
TIER 1
Primary Support
Available to all Spectra users at no cost to resolve basic user accessibility and Spectra technical issues.
9:00am to 9:00pm ET, Monday – Friday

Except US Federal Holidays
TIER 2
Spectra Experts
This is a paid service for escalated user support, issues related to matter-specific workflows, and consultative guidance on using the platform. Please refer to Pricing section for pricing details.
9:00am to 9:00pm ET, Monday – Friday

Except US Federal Holidays

“ET” means Eastern Standard Time or Eastern Daylight Time, whichever is currently in effect for the Eastern Time Zone.

2. Availability Commitment. Lighthouse commits to Services Availability as defined below:

Table 1: Availability

Service
Service Level for Each Calendar Month
Services Availability: All Services are required to be operating normally for service to be defined as  “available.”

“Actual Availability Percentage” means (((Maximum Available Time – (Downtime -  Allowable Downtime)) /Maximum Available Time)*100).

“Maximum  Available Time” means hours in each calendar month less Allowable Downtime for such calendar month or, for each calendar month, ((number of days  * 24 hours) – Allowable Downtime).

“Downtime” means the hours in each calendar month for which the Services are not available.

“Allowable Downtime” refers to normal maintenance activities that may or may not disrupt the Services, and may be performed: (A) on the third Saturday of each month  from 2:00 am – 6:00 am ET; (B) on the fourth Saturday of each month from 2:00 am – 6:00 am ET; or (C) during any additional window of time that is reasonably necessary, provided Lighthouse provides at least 72 hours' advance notice.   
Actual Availability Percentage of 99.95%

Any failure, malfunction, or nonconformity in connection with the availability of the Services as reported by Client hereunder (each, an “Issue”) arising out of the provision of Services shall be designated a Severity Level by Lighthouse as follows:

Table 2: Severity Level Descriptions

Severity Level
Impact
Example
0
Critical Impact / System Down:

Service outage or a major application problem making it impossible to use the service.
Service is not available due to system outage. Critical functions inoperative that renders the entire application inoperative; application does not save critical data correctly.  
1
Significant Impact / Severe downgrade of services:

Critical loss of application functionality, resulting in a majority of users unable to perform their normal functions.
Feature not working system-wide.

Large number of users not able to login.  
2
Minor Impact / Most of the services are functioning properly:

Impact on a small number of user base or impact on a large number of users, but only impacts limited functionality and/or a workaround exists.
System is accessible but some functional limitations that are not critical for daily operations.

Slow application response time.
3
Low Impact / Informational:

No critical impact on users.
Minor spelling errors; minor usability errors; non-critical, minor loss of functionality.

Any other Issues arising out of the Services may be designated a Severity Level by Lighthouse upon reporting them in accordance with the descriptions in Table 2.

2.1.  Response and Action Levels. When submitting an Issue, Client must (i) provide Lighthouse with all information necessary for Lighthouse to address the Issue, and (ii) respond promptly with any information reasonably requested by Lighthouse to clarify the Issue. On receipt of the Issue, Lighthouse shall respond to the Severity Level of the Issue, as outlined in Table 3 below. All time periods in Table 3 shall be counted commencing from the time an Issue is reported by Client and, with respect to status updates, from the time of the last status update.

Table 3: Response and Action Levels

Seve­rity Level
Contact
Initial Response
Status Updates
Resolu­tion Commit­ment
0
Within 30 minutes (if reported during support hours).
Issues reported outside support hours will be within 30 minutes of next support window.  
No less than every 2 hours (24x7) until resolution.
Dedicated enginee­ring resources assigned until resolution is achieved.
1
Within 30 minutes (if reported during support hours). Issues reported outside support hours, will be within 30 minutes of next support window.
No less than every 4 hours (24x7) until resolution. 
Dedicated enginee­ring resources assigned until resolution is achieved.
2
Within 1 business day.  
No less than every business day.
Dedicated enginee­ring resources assigned until resolution is achieved.
3
Within 1 business day.
As needed.
Roadmap prioriti­zation.

Initial Response: The response time for Lighthouse to respond to Client to acknowledge the issue and assign a Severity Level.

Status Updates: The frequency in which Lighthouse shall provide Client information regarding the current status of any open Issue not yet resolved.

3. Client Responsibility. Client is responsible for ensuring that its hardware and software used to access the Services meet the minimum requirements specified by Lighthouse. Minimum requirements include use of a currently supported browser, a high-speed Internet connection, and integration with a compatible email service. Professional Services are not included in this Exhibit A. Lighthouse must be able to reproduce an error in order to resolve it. Clients agree to cooperate and work closely with Lighthouse to reproduce errors, including conducting diagnostic or troubleshooting activities as reasonably requested and as appropriate.

4. Client Remedies. If Lighthouse fails to meet the Actual Availability or fails to meet its Response and Action Level for three (3) consecutive calendar months, then within thirty (30) days following the conclusion of the third consecutive calendar month, Client may terminate the applicable order form and Agreement by giving Lighthouse thirty (30) days’ prior written notice of termination, without liability for any cancellation fees, penalties or other damages associated with termination, and Client shall be entitled to a refund of unearned, prepaid fees, if any, pro-rated from the effective date of such termination through the end of the Term. Not withstanding any other term or provision in the Agreement, the remedies stated in this Section are Client’s sole and exclusive remedies for Lighthouse’s failure to meet the Actual Availability or Response and Action Level specified herein.

Exhibit B: Spectra Information Security Addendum

This Information Security Addendum (this“Exhibit B”) is incorporated into the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1. Information Security Program. Lighthouse agrees to maintain a written information security program of policies, procedures, and controls governing the processing, storage, transmission, and security of Client Data (the “Information Security Program”).  The Information Security Program includes industry standard practices designed to protect Client Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Lighthouse may periodically review and update the Information Security Program to address new and evolving security threats, changes to regulations and industry standard practices, and changing security technologies, provided that any such update does not materially reduce the commitments, protections, or overall level of service provided to the Client.

2. Certifications and Attestations. Lighthouse has established and maintains sufficient controls to meet the objectives stated in ISO/IEC 27001, The HIPAA Security Rule, and SSAE 16/SOC 2 Type 2 (collectively, the “Standards”) for the Information Security Program. At least once per calendar year, Lighthouse performs an assessment against such standards (“Assessment”). Upon Client’s written request, and no more than once per calendar year, Lighthouse will provide a summary of the Assessment(s) to Client. Assessments are considered Confidential Information under this Agreement.

3. Physical, Technical, and Administrative Security Measures. The Information Security Program includes the following physical, technical, and administrative measures designed to protect Client Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access:

3.1. Physical Security Measures.

3.1.1. Data Center Facilities: (i) Physical access restrictions and monitoring that may include a combination of any of the following: multi-zone security, man-traps, appropriate perimeter deterrents (for example, fencing, berms, guarded gates), onsite guards, biometric controls, CCTV, and secure cages; and (ii) fire detection and fire suppression systems both localized and throughout the data center floor.  

3.1.2. Systems, Machines, and Devices: (i) Physical protection mechanisms; and (ii) entry controls to limit physical access.  

3.1.3. Media: (i) Industry-standard destruction of sensitive materials before disposition of media; (ii) secure storage of damaged hard disks prior to physical destruction; and (iii) physical destruction of all decommissioned hard disks storing Client Data.    

3.2. Technical Security Measures.

3.2.1. Access Administration: Access to the Services by Lighthouse employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production systems. Access privileges are based on job requirements and are revoked upon termination of employment, consulting relationship, or change in role. Production infrastructure includes appropriate user account and password controls (for example, the required use of virtual private network connections, complex passwords with expiration dates, and two-factor authentication when required) and is accessible for administration.  

3.2.2. Logging and Monitoring: The production infrastructure log activities are centrally collected, are secured to prevent tampering, and are monitored for anomalies by a trained security team.  

3.2.3. Firewall System: Industry-standard firewalls are installed and managed to protect Lighthouse systems by inspecting all ingress and egress connections to and from Lighthouse’s network.

3.2.4. Vulnerability Management: Lighthouse conducts periodic internal and external vulnerability scans as well as independent security risk evaluations to assess threats to critical information assets, identify potential vulnerabilities, and determine remediation. When software vulnerabilities are revealed and addressed by a vendor patch, Lighthouse will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with Lighthouse’s vulnerability management and security patch management standard operating procedure, and only after such patch is tested and determined to be safe for installation on all production systems.  

3.2.5. Antivirus: Lighthouse updates anti-virus, anti-malware, and anti-spyware definitions at least daily, and centrally logs events for effectiveness of such software.  

3.2.6. Change Control: Lighthouse ensures that changes to platform, applications, and production infrastructure are evaluated to minimize risk, and are implemented following Lighthouse’s change management process.

3.3. Administrative Security Measures.

3.3.1. Data Center Security Reviews: Lighthouse performs routine reviews of each data center to ensure that they continue to maintain the security controls necessary to comply with the Information Security Program.  

3.3.2. Personnel Security: Background screenings are performed on all employees and contractors who have access to Client Data, subject to applicable law.

3.3.3. Security Awareness and Training: Lighthouse conducts a security awareness and privacy program for all personnel. Training is conducted at time of hire and annually thereafter throughout employment.  

3.3.4. Vendor Risk Management: Lighthouse maintains a vendor risk management program that assesses all vendors that access, store, process, or transmit Client Data for appropriate security controls and business disciplines.

4. Data Centerand Service Continuity. Lighthouse hosts Client Data in primary and secondary SOC 2 Type 2 or ISO 27001 certified (or equivalent) data centers. Each data center includes full redundancy (N+1) and fault tolerant infrastructure for electrical, cooling, and network systems. The deployed servers are enterprise-scale servers with redundant power to ensure maximum uptime and service availability. The system is supported by a network configuration with multiple connections to the Internet. The production database servers are replicated in near real-time to a mirrored data center in a different geographic region. Lighthouse backs up all Client Data in accordance with Lighthouse’s standard operating procedure.

5. Security Incident Management. Lighthouse monitors, analyzes, and responds to Security Incidents in a timely manner in accordance with its standard operating procedure. Depending on the nature of the incident, Lighthouse’s security group will escalate and engage response teams necessary to address an incident, including breach notification pursuant to this Agreement.

5.1. Security Incident Procedure. Lighthouse will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to suspected or known Security Incidents, mitigate harmful effects of Security Incidents, and document Security Incidents and their outcomes, and (ii) restore the availability or access to Client Personal Data in a timely manner.

5.2. Notice. Lighthouse will notify Client within 48 hours after becoming aware of Security Incident. Such notice will include (i) a description of the nature of the Security Incident; (ii) a description of the likely consequences of the Security Incident; (iii) a description of any measures Lighthouse has taken or proposes to take to address and/or mitigate the Security Incident; and (iv) specify a point of contact at Lighthouse whom Client can contact about the Security Incident. Lighthouse will ensure that descriptions in the notice are detailed enough to allow Client to understand the impact of the Security Incident. If it is not possible for Lighthouse to provide all of the information required at the time of the notice, Lighthouse will provide such additional information to Client as the information becomes available thereafter. Lighthouse will take reasonable steps to mitigate and minimize any damage resulting from the Security Incident.

6. Penetration Tests

6.1. By a Third Party. Lighthouse contracts with independent third-party vendors to perform an annual penetration test on Lighthouse’s service platform to identify risks and remediation to help increase security.

6.2. By Client. No more than once a year Client may request to perform, at its own expense, an application penetration test of its instances of the provided Services. Client shall notify Lighthouse in advance of any test by submitting a request to Lighthouse and completing a penetration testing agreement. Lighthouse and Client must agree upon a mutually acceptable time for the test, and Client shall not perform a penetration test without Lighthouse’s express written authorization. The test must be of reasonable duration and must not interfere with Lighthouse’s day-to-day operations. Promptly upon completion of the penetration test, Client shall provide Lighthouse with the test results, including any detected vulnerability. Upon such notice, Lighthouse will, consistent with industry standard practices, use all commercially reasonable efforts to promptly make any necessary changes to improve the security of the services provided. Client shall treat the test results as Confidential Information under this Agreement.

7. Sharing the Security Responsibility.

7.1. Product Capabilities. The Services Lighthouse provides have the capabilities to: (i) authenticate users before access; (ii) encrypt passwords; (iii) allow Authorized Users to manage passwords; and (iv) prevent access by Authorized Users with an inactive account. Client manages each Authorized User’s access to and use of the services by assigning to each Authorized User an account and role that controls the level of access to the Services.

7.2. Client Responsibilities. Lighthouse provides the online environment that permits Client to use and process Client Data. Lighthouse protects all Client Data in Lighthouse’s infrastructure equally in accordance with this Exhibit B. Client shall be responsible for:

7.2.1. Protecting the confidentiality of each Authorized User’s login and password, and managing each Authorized User’s access to the Services, and prohibiting the sharing of accounts and/or passwords.

7.2.2. Employing best practices used in Lighthouse’s industry to prevent the upload of any data containing malicious code (e.g., viruses, Trojans, ransomware, etc.) into Lighthouse’s systems. If at any time Client knows or has reason to believe it has uploaded any malicious code into Lighthouse’s systems, Client agrees to immediately notify Lighthouse and cooperate to identify and remove the malicious code from Lighthouse’s systems.

7.3. Limitations. Not withstanding anything to the contrary in the Agreement or this Exhibit B, Lighthouse’s obligations extend only to those systems, networks, network devices, facilities, and components over which Lighthouse exercises control. This Exhibit B does not apply to: (i) information shared with Lighthouse that is not data stored in its systems using the provided Services; (ii) data in Client’s local network, virtual private network (VPN), or a third-party network; or (iii) any data processed by the Client or its Authorized Users in violation of the Agreement or this Exhibit B.

8. Audits. Upon written request and at no additional charge, Lighthouse will provide to Client reasonable assistance and all information required by Client from time to time to assess Lighthouse’s compliance with this Exhibit B. Upon reasonable advance written request, Lighthouse will allow for and contribute to reasonable audits and inspections conducted by Client (or Client’s independent third-party auditor), including onsite inspections of Lighthouse’s business premises or facilities used for the provision of the Services. Lighthouse and Client shall each be responsible for their own costs in relation to any audits undertaken. The process of such audits will be mutually determined by Client in consultation with Lighthouse (covering such matters as scope, timing, costs, and confidentiality). Audits will occur no more than annually, unless requested to comply with a request from a regulatory authority or following a Security Incident.

Exhibit C: Spectra Data Processing Addendum

This Data Processing Addendum (this “Exhibit C”) is incorporated into the Agreement and governs the manner in which Lighthouse shall process Client Personal Data and only applies to the extent Lighthouse Processes such Client Personal Data.  In the event of a conflict between this Exhibit C and any other portion of the Agreement, the provision imposing the stricter data processing requirements of any conflicting provision shall control. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1. Role of the Parties. The parties agree that Client acts as the Data Controller of the Client Personal Data processed by Lighthouse in its provision of the Services, and Lighthouse acts as a Data Processor of the Client Personal Data.

2. Data Processing.

(a) Client will be solely responsible for determining the purposes for which and the manner in which Client Personal Data are, or are to be, processed. Lighthouse will Process Client Personal Data solely as set forth in Section 2 of this Exhibit C (the “Business Purpose”), and will not retain, use, or disclose the Client Personal Data for any purpose other than the Business Purpose. Nothing in the Agreement or this Exhibit C relieves the Data Controller of its own direct responsibilities or obligations under the applicable Data Protection Laws.

(b) Lighthouse will not Sell (as defined in the applicable Data Protection Laws) any Client Personal Data.

(c) The parties acknowledge and agree that valuable consideration, monetary or otherwise, is being provided for the services being rendered and not for providing Client Personal Data, and Lighthouse does not receive any Client Personal Data from Client for Lighthouse’s provisions of the Services.

(d) Lighthouse agrees that all rights, title, and interest in the Client Personal Data will vest solely in Client and that Lighthouse will have no rights, title, or interest in the Client Personal Data.

(e) Lighthouse will comply with the requirements of the Data Protection Laws in respect of the provision of the Services and otherwise in connection with this Exhibit C, and will not knowingly do anything or permit anything to be done which would lead to a breach by Client of the Data Protection Laws.

(f) Where Lighthouse processes Client Personal Data on behalf of Client, Lighthouse will, in respect of such Client Personal Data:

i. act only on written instructions and directions from Client and will comply promptly with all such instructions and directions received from Client from time to time; provided that Lighthouse will immediately inform Client if, in its opinion, an instruction infringes Data Protection Laws;

ii. not process Client Personal Data for any purpose other than for the provision of Services to Client and only to the extent reasonably necessary for the performance of this Exhibit C;

iii. not disclose Client Personal Data to any government, authority, or any other third party except as necessary for the performance of the Services, to comply with Data Protection Laws, or with the Client's prior written consent. To the extent permitted by law, Lighthouse will immediately notify Client if Lighthouse receives a request to disclose Client Personal Data. Where possible, the notice will (1) attach a copy of the request, and (2) to the extent not covered by (1), specify the identity of the requester, the scope and purpose of the request, the date of the request and any deadline for response;

iv. implement and maintain appropriate technical and organizational measures (1) to protect the security and confidentiality of Client Personal Data processed by it in providing the Services, and (2) to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, and (3) as required under Data Protection Laws. Such technical and organizational measures will include the Spectra Information Security & Data Protection Addendum in Exhibit B;

v. promptly notify Client of any request made by a Data Subject under applicable Data Protection Laws in relation to or in connection with personal data processed by Lighthouse on behalf of Client; comply with all reasonable instructions from Client related to such request; and assist Client in answering or complying with any such request; and

vi. process the Client Personal Data in accordance with the specified duration, purpose, type, and categories of data subjects asset out in Schedule 1 of this Exhibit C or the applicable Client order form.

3. Cooperation and Audit Rights. Upon written request and at no additional charge, Lighthouse will provide to Client reasonable assistance and all information required by Client from time to time to assess Lighthouse’s compliance with this Exhibit C and any Data Protection Laws, and, to the extent possible, provide all necessary assistance and all information necessary for Client to comply with its obligations under applicable Data Protection Laws. Upon reasonable advance written request, Lighthouse will allow for and contribute to reasonable audits and inspections conducted by Client (or Client’s independent third-party auditor), including onsite inspections of Lighthouse’s business premises or Processing facilities for the Processing of Client Personal Data. Lighthouse and Client shall each be responsible for their own costs in relation to any audits undertaken. The process of such audits will be mutually determined by Client in consultation with Lighthouse (covering such matters as scope, timing, costs, and confidentiality). Audits will occur no more than annually unless requested to comply with a request from a regulatory authority or following a Security Incident.

4. Lighthouse Affiliates and Sub-Processors.

(a) Client acknowledges and agrees that (i) Lighthouse may retain its affiliates to process Client Personal Data on its behalf ("Sub-Processor"), and (ii) Lighthouse and Lighthouse’s affiliates respectively may engage third-party Sub-Processors in connection with the provision of the Services. Lighthouse has entered into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this Exhibit C with respect to the protection of Client Personal Data.

(b) The list of Lighthouse’s Sub-Processors as of the effective date of this Exhibit C is set forth on Schedule 2.

(c) Lighthouse will notify Client in writing of a new Sub-Processor (and the respective location where the Client Personal Data is or could be Processed) to Process Client Personal Data in connection with the applicable Services. Client may object, in its reasonable discretion, to such Sub-processor within thirty (30) days after receipt of such notice by notifying Lighthouse in writing. If Client objects to the addition of a new Sub-Processor, the parties will negotiate a mutually agreeable alternative, and if no such alternative is agreed within four months of the objection, Client will have the right to terminate, without penalty, any Service for which Client Personal Data would be processed by the new Sub-Processor.

(d) Lighthouse will remain fully liable to Client for any acts and omissions of its Sub-Processors to the same extent Lighthouse would be liable if performing the services of each Sub-Processor directly under the terms of this Exhibit C.

5. Incident Management and Notification. Lighthouse maintains security incident management policies and procedures specified in Section 2, and will notify Client within 48 hours after becoming aware of Security Incident or such shorter timeframe required by the applicable authority for Security Incident reporting. Such notice will (1) include the nature of Processing and the information available to Lighthouse and (2) take into account that under applicable Data Protection Laws, Client may need to notify regulators or individuals of the following:

(a) A description of the nature of the Security Incident including, where possible, the categories and approximate number of individuals concerned, and the categories and approximate number of Personal Data records concerned;

(b) A description of the likely consequences of the Security Incident; and

(c) A description of any measures Lighthouse has taken or proposes to take to address and/or mitigate the Security Incident; and specify a point of contact at Lighthouse whom Client can contact about the Security Incident;

Lighthouse will ensure that descriptions in the notice are detailed enough to allow Client to understand the impact of the Security Incident. If it is not possible for Lighthouse to provide all of the information required by this Section 5 at the time of the notice, Lighthouse will provide such additional information to Client as the information becomes available thereafter. Lighthouse will take reasonable steps to mitigate and minimize any damage resulting from the Security Incident.

6. Documentation. Lighthouse will maintain an accurate, up-to-date written record of all Processing of Client Personal Data performed on Client's behalf. Lighthouse will provide Client a copy or a summary of such record upon Client's request, and in any event, upon termination of the Agreement.

7. Lighthouse Personnel.

(a) Lighthouse warrants to provide training as necessary from time to time to personnel with respect to Lighthouse's obligations in this Exhibit C and/or under Data Protection Laws, to ensure that the personnel are aware of and comply with such obligations.

(b) Lighthouse will limit access to Client Personal Data to those personnel performing Services in accordance with the Agreement and ensure that any personnel with access to Client Personal Data is bound by confidentiality obligations in respect of access or Processing of such Client Personal Data.

(c) Lighthouse will comply fully with its obligations with respect to the employment of a data protection officer as required under Data Protection Laws.

8. Data Impact Assessment. Upon Client’s request, Lighthouse will provide Client with reasonable cooperation and assistance needed to fulfill Client’s obligation to carry out data protection impact assessments to Client’s use of the Services to the extent such information is available to Lighthouse. Lighthouse will provide reasonable assistance to Client in the cooperation or prior consultation with the applicable supervisory authority in the performance of its tasks relating to Section 8 of this Exhibit C, to the extent required under applicable Data Protection Laws.

9. Return and Deletion of Client Personal Data. Upon termination of the provision of the Services, Lighthouse shall within sixty (60) days, or any other applicable destruction period set forth in the Agreement, whichever is longer, destroy, or, at Client’s request, return the Client Personal Data. Lighthouse may retain Client Personal Data to the extent that it is required or authorized to do sounder applicable law and/or regulation or to the extent Client Personal Data is archived on Lighthouse’s back-up systems, in which case Lighthouse will securely isolate and protect such data from any further processing, except to the extent required by applicable law and/or regulation.

10. Survival. The provisions contained in this Exhibit C will survive the termination or expiry of the Agreement to the extent that Lighthouse continues to process Client Personal Data on behalf of Client.

11. Transfer Mechanism(s) for Personal Data Transfers. As of the Effective Date of this Exhibit C, with regard to any transfers of Personal Data from the European Union, Switzerland, the European Economic Area and/or their member states, and/or the United Kingdom to Lighthouse (including any onward transfers from Lighthouse to any Sub-Processors), in a country which does not ensure an adequate level of data protection within the meaning of Data Protection Laws, to the extent such transfers are subject to such Data Protection Laws, such transfer will be made pursuant to the relevant Standard Contractual Clauses (“SCC”) in accordance with the below terms and so long as such transfer mechanism is approved by the applicable supervisory authority:

(a) The parties agree that:

i. Client’s signing of an order form will be deemed to be signature and acceptance of the SCC (as applicable) and their appendices by Client as the data exporter and in the role of controller;

ii. Lighthouse provision of the Services under an order form will be treated as signing of the SCC and their appendices by Lighthouse, as the data importer and in the role of processor;

iii. Details required under the SCC’s Appendix 1 are available in Schedule 2 to this Exhibit C and under the SCC’s Appendix 2 are outlined in Section 2 of this Exhibit C. In the event of any conflict or inconsistency between this Exhibit C and the SCC, the SCC will prevail.

(b) With regards the UK Clauses, the parties agree that:

i. Section 4 of this Exhibit C represents Client’s express consent regarding existing and new Sub-Processors under Clause 5(h) of the UK Clauses. If Lighthouse transfers Client Personal Data to a Sub-Processor who is located outside of the United Kingdom, Lighthouse shall ensure it enters into a data transfer mechanism approved by the applicable supervisory authority that ensures an adequate level of data protection. Evidence of such data transfer mechanism shall be provided by Lighthouse to Client upon Client’s request. Copies of the Sub-Processor agreements that must be provided by Lighthouse to Client pursuant to Clause 5(j) of the UK Clauses may have all commercial information, or clauses unrelated to the UK Clauses or their equivalent, removed by Lighthouse beforehand; and such copies will be provided by Lighthouse to Client upon request by Client.

ii. Audits pursuant to Clause 5(f) and Clause 12(2) of the UK Clauses will be carried out in accordance with Section 3 of this Exhibit C.

iii. The Parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the UK Clauses will be provided by Lighthouse to Client upon Client’s request.

iv. The phrase “the law of the Member State in which the data exporter is established,” or similar phrase, in the UK Clauses shall be construed as references to the laws of the United Kingdom and the governing law of the UK Clauses shall be the United Kingdom.

v. Without prejudice to the other rights of a data subject under the UK Clauses, a data subject shall be granted the right to refer disputes under the UK Clauses to the courts of the United Kingdom.

(c) With regards the EU Clauses, the parties agree that:

i. Client and Lighthouse shall be subject to the Module 2 provisions of the EU Clauses;

ii. Clause 7 (Docking clause) is incorporated;

iii. Section 4 of this Exhibit C represents Client’s express consent regarding existing and new Sub-Processors under Clause 9(a) (Option 2) of the EU Clauses and, in accordance with Clause 9(a), a period of two weeks' advance notice must be given for any intended changes to the list of Sub-Processors;

iv. Option 2 of Clause 17 (Governing law) shall apply and the laws of the Member State where the data was exported from shall govern the EU Clauses;

v. In accordance with Clause 18 (Choice of forum and jurisdiction), the courts of the Member State from where the data was exported will resolve any dispute arising out of the EU Clauses.

12. Updates to Exhibit C’s terms. Lighthouse may update and amend the terms and conditions of this Exhibit C from time to time as may be required to ensure compliance with Data Protection Laws and will provide notice of such update to Customer.

13. Definitions. The following additional definitions apply to this Exhibit C.

“Affiliate” has the meaning defined in the Agreement.

"Data Controller" (or simply "Controller") and "Data Processor" (or simply "Processor") or terms addressing similar data protection and privacy roles, have, in respect to each relevant jurisdiction, the meanings given to those terms under the applicable Data Protection Laws for that jurisdiction.

“Data Protection Laws” means any applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act 2018, Cal. Civ. Code § 1798.100 et seq (“CCPA”), and its implementing regulations, and the Data Protection Act 2018, which is the implementation of the United Kingdom’s General Data Protection Regulation (“UK GDPR”), as the same may be amended from time to time and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements, or codes of practice applicable to Processor’s Processing of Client’s Personal Data. 

“Data Subject” or"Individual" has the meaning given to it in the Data Protection Laws.

“EEA” shall mean the European Economic Area (European Union countries, Iceland, Lichtenstein, and Norway).

“Personal Data” shall, in each relevant jurisdiction, have the same meaning as the term “Personal Data,” “personal identifiable information (PII),” “Personal Information,” or the equivalent under the applicable Data Protection Laws for that jurisdiction.

“Processing” has, in each relevant jurisdiction, the meaning given to (or in the nearest equivalent term) in the applicable Data Protection Laws for that jurisdiction, and "process," "processes," and "processed" will be interpreted accordingly.

“Security Incident” means any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access of Client Personal Data.

“Special Categories of Data” has, in each relevant jurisdiction, the meaning given to it (or to the nearest equivalent term) in the applicable Data Protection Laws for that jurisdiction.

“Standard Contractual Clauses” means (i) the standard contractual clauses for the transfer of personal data to processors established in third countries outside the European Economic Area, which are based on the Commission Decision of 4 June 20212021/914 (EU), as may be amended or replaced from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction, in each case, in relation there to and (ii) standard data protection clauses specified in regulations made by the Secretary of State under section 17C(b) of the United Kingdom General Data Protection Regulation 2018, as may be amended or replaced from time to time by the United Kingdom and at the time being in force in the United Kingdom (the “UK Clauses”).

“Special Categories of Data” has, in each relevant jurisdiction, the meaning given to it (or to the nearest equivalent term) in the applicable the Data Protection Laws for that jurisdiction.

Schedule 1 to Data Processing Addendum

Details of the Processing

Nature and Purpose of Processing
Lighthouse will Process Personal Data as necessary to perform the Services pursuant to the Agreement and as further instructed by Client in its use of the Services.

Duration of Processing
Subject to Section 10 of Exhibit C, Lighthouse will Process Personal Data for the duration of the Services.

Categories of Data Subjects
Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

Employee data (current and former employees, contractors); Client, competitor, and supplier data that may be relevant to the matter or project at hand.

Type of Personal Data
Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

Various categories, including internal, external, historical, social, criminal convictions, financial and/or tracking, that may be relevant to the matter or project at hand. Various special categories (e.g., data revealing health, racial, or ethnic origin; political opinions; religious or philosophical beliefs; union membership, etc.) that may be relevant to the matter or project at hand.

Details relevant for the Appendix to Standard Contractual Clauses

Annex 1.A. List of Parties

Data Exporter
Name and address: Client’s name and address as listed on the applicable order form.
Contact person’s name, position, and contact details: Client’s contact person as listed on the applicable order form.
Activities relevant to the data transferred under the Standard Contractual Clauses: The services provided under the order form that is relevant to the data processing.
Signature and date: Please see Clause 11 of this Exhibit C.
Role (controller/processor): Controller

Data Importer
Name and address: Lighthouse Document Technologies Inc., 51 University Street, Suite 400, Seattle, Washington 98101
Contact person’s name, position, and contact details: Michael Miller, Senior Vice President Business Development and Sales, mmiller@lighthouseglobal.com
Activities relevant to the data transferred under the Standard Contractual Clauses: The services provided under the order form that is relevant to the data processing.
Signature and date: please see Clause 11 of this Exhibit C.
Role (controller/processor): Processor

Annex 1.B. Description of Transfer

Data Subjects Whose Personal Data Is Transferred
The Personal Data transferred concern the following categories of Data Subjects: Employee data (current and former employees, contractors); Client, competitor, and supplier data that may be relevant to the matter or project at hand.

Categories of Personal Data Transferred
The Personal Data transferred concern the following categories of data: Various categories, including internal, external, historical, social, financial, and/or tracking, that may be relevant to the matter or project at hand.

Sensitive Data Transferred (if appropriate) and Applied Restrictions or Safeguards
The Personal Data transferred concern the following special categories of data: Various categories (e.g., data revealing health, racial or ethnic origin; political opinions; religious or philosophical beliefs; union membership, criminal convictions, etc.) that may be relevant to the matter or project at hand. Applied restrictions and safeguards are defined in Section 2 of Exhibit C.

Frequency of the Transfer (e.g., whether the data is transferred on a one-off or continuous basis):
Transfer of data will occur on a matter-by-matter basis, as determined by the Controller.

Nature of the Processing
Lighthouse, acting as a Processor, will, depending on the scope of its engagement, Process the Personal Data to perform the Services, to comply with its statutory and regulatory obligations, to maintain accounts and records, and to conduct analysis in order to improve its products and services. This will involve, among other things, the collection, storage, analysis, and disclosure of Personal Data that Supplier receives from the Controller in accordance with the Agreement.

Purpose(s) of the Data Transfer and Further Processing
The purpose of the processing is the provision of Services pursuant to the Agreement.

Period for Which the Personal Data Will Be Retained, or, if That is Not Possible, the Criteria Used to Determine That Period
Personal data will be retained for the duration of the provision of Services pursuant to the Agreement. Upon termination of the Agreement, Personal Data will be deleted in accordance with Controller’s instructions.

For Transfers to (Sub-) Processors, Also Specify Subject Matter, Nature, and Duration of the Processing: As Set Forth Below in Schedule 2.

Annex 1.C. Supervisory Authority

Member State where the data was exported from.

Annex II. Technical and Organizational Measures to Ensure the Security of the Data

Please see the Data Security Standards attached to the Agreement. Lighthouse shall ensure that any Sub-Processors are subject to, and comply with, standards no less onerous than the Data Security Standards attached to this Agreement.

Annex III. List of Sub-Processors

Please see Schedule 2 of this Exhibit C.

Schedule 2 to Data Processing Addendum

Sub-Processors

List for each Sub-Processor: Name, address, contact person’s name, position, location of where the personal data is processed, and Description of Processing of Sub-Processor including Subject Matter, Nature, and Duration of Processing.

1.

Name: Lighthouse eDiscovery Europe, Ltd.

Address: 1 King William Street, London EC4N 7AF United Kingdom

Contact person’s name, position and contact details: Martin Carey, Managing Director, Europe, mcarey@lighthouseglobal.com

Description of processing: Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): Provision of the Services for requested UK or EU data; assistance with the Services for off hours.

2.

Name: Iota Analytics Pvt. Ltd.

Address: C-138, Phase VIII, Industrial Area, Mohali, Punjab-160059, India

Contact person’s name, position and contact details: Ishika Aggarwal, Director, ishika@iotaanalytics.com

Description of processing: Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): Third-shift, back-end support. Provides general staff augmentation, 24/7 basic, labor-intensive tasks (e.g., processing and conversion of native documents to tiff format). At no time does Iota remove data from Processor’s US datacenter or provide any substantive review/input.

3.
Name: H5 Asia Pacific Pvt. Ltd.
Address: SMARTWORKS, 2nd floor, Fleet House, Marol Naka Metro Station, Gamdevi, Marol, Andheri (East), Mumbai, India 400059 
Contact person’s name, position and contactdetails: Adarsh Valecha, Director of Finance and Operations, avalecha@lighthouseglobal.com
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): Will process Personal Data as necessary to assist Lighthouse in its performance of its Processor obligations; assistance with the Services for off hours. 

H5 is now Lighthouse

Read the press release